Cyber security – breach notification obligations on the way

 

Last year saw an increase in the frequency and intensity of cyber-attacks, including the NotPetya attack, which brought several companies to a standstill.

This year will see significant changes to the legal framework as the General Data Protection Regulation, Network and Information Systems Directive and revised Payment Services Directive come into play. These laws impose new data security obligations and increased sanctions.

Importantly, they also impose strict breach notification rules. For example, under the GDPR, a personal data breach must be notified to the Information Commissioner within 72 hours if it presents a risk to individuals. If the breach is high risk, the affected individuals must also be notified. The deadline for notifying breaches under the revised Payment Services Directive is just four hours. Companies will need to make employees aware of these obligations and provide suitable reporting processes.
